Merge pull request #6878 from pwhitehead-splunk/support-assume-role-w…
…ith-web-identity

Support AssumeRoleWithWebIdentity for the Route53 issuer
cert-manager-prow[bot] committed May 14, 2024
2 parents 733aa82 + 44f79d6 commit cd2d71f
Showing 22 changed files with 1,156 additions and 61 deletions.
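--- a/deploy/crds/crd-challenges.yaml
+++ b/deploy/crds/crd-challenges.yaml
@@ -492,6 +492,41 @@ spec:
 Name of the resource being referred to.
 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
 type: string
+auth:
+description: Auth configures how cert-manager authenticates.
+type: object
+required:
+- kubernetes
+properties:
+kubernetes:
+description: |-
+Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+by passing a bound ServiceAccount token.
+type: object
+required:
+- serviceAccountRef
+properties:
+serviceAccountRef:
+description: |-
+A reference to a service account that will be used to request a bound
+token (also known as "projected token"). To use this field, you must
+configure an RBAC rule to let cert-manager request a token.
+type: object
+required:
+- name
+properties:
+audiences:
+description: |-
+TokenAudiences is an optional list of audiences to include in the
+token passed to AWS. The default token consisting of the issuer's namespace
+and name is always included.
+If unset the audience defaults to `sts.amazonaws.com`.
+type: array
+items:
+type: string
+name:
+description: Name of the ServiceAccount used to request a token.
+type: string
 hostedZoneID:
 description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
 type: string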
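--- a/deploy/crds/crd-clusterissuers.yaml
+++ b/deploy/crds/crd-clusterissuers.yaml
@@ -599,6 +599,41 @@ spec:
 Name of the resource being referred to.
 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
 type: string
+auth:
+description: Auth configures how cert-manager authenticates.
+type: object
+required:
+- kubernetes
+properties:
+kubernetes:
+description: |-
+Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+by passing a bound ServiceAccount token.
+type: object
+required:
+- serviceAccountRef
+properties:
+serviceAccountRef:
+description: |-
+A reference to a service account that will be used to request a bound
+token (also known as "projected token"). To use this field, you must
+configure an RBAC rule to let cert-manager request a token.
+type: object
+required:
+- name
+properties:
+audiences:
+description: |-
+TokenAudiences is an optional list of audiences to include in the
+token passed to AWS. The default token consisting of the issuer's namespace
+and name is always included.
+If unset the audience defaults to `sts.amazonaws.com`.
+type: array
+items:
+type: string
+name:
+description: Name of the ServiceAccount used to request a token.
+type: string
 hostedZoneID:
 description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
 type: string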
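--- a/deploy/crds/crd-issuers.yaml
+++ b/deploy/crds/crd-issuers.yaml
@@ -599,6 +599,41 @@ spec:
 Name of the resource being referred to.
 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
 type: string
+auth:
+description: Auth configures how cert-manager authenticates.
+type: object
+required:
+- kubernetes
+properties:
+kubernetes:
+description: |-
+Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+by passing a bound ServiceAccount token.
+type: object
+required:
+- serviceAccountRef
+properties:
+serviceAccountRef:
+description: |-
+A reference to a service account that will be used to request a bound
+token (also known as "projected token"). To use this field, you must
+configure an RBAC rule to let cert-manager request a token.
+type: object
+required:
+- name
+properties:
+audiences:
+description: |-
+TokenAudiences is an optional list of audiences to include in the
+token passed to AWS. The default token consisting of the issuer's namespace
+and name is always included.
+If unset the audience defaults to `sts.amazonaws.com`.
+type: array
+items:
+type: string
+name:
+description: Name of the ServiceAccount used to request a token.
+type: string
 hostedZoneID:
 description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
 type: string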
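--- a/internal/apis/acme/types_issuer.go
+++ b/internal/apis/acme/types_issuer.go
@@ -421,6 +421,9 @@ type ACMEIssuerDNS01ProviderDigitalOcean struct {
 // ACMEIssuerDNS01ProviderRoute53 is a structure containing the Route 53
 // configuration for AWS
 type ACMEIssuerDNS01ProviderRoute53 struct {
+// Auth configures how cert-manager authenticates.
+Auth *Route53Auth
+
 // The AccessKeyID is used for authentication.
 // Cannot be set when SecretAccessKeyID is set.
 // If neither the Access Key nor Key ID are set, we fall-back to using env
@@ -453,6 +456,35 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
 Region string
 }
 
+// Route53Auth is configuration used to authenticate with a Route53.
+type Route53Auth struct {
+// Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+// by passing a bound ServiceAccount token.
+Kubernetes *Route53KubernetesAuth
+}
+
+// Route53KubernetesAuth is a configuration to authenticate against Route53
+// using a bound Kubernetes ServiceAccount token.
+type Route53KubernetesAuth struct {
+// A reference to a service account that will be used to request a bound
+// token (also known as "projected token"). To use this field, you must
+// configure an RBAC rule to let cert-manager request a token.
+ServiceAccountRef *ServiceAccountRef
+}
+
+// ServiceAccountRef is a service account used by cert-manager to request a
+// token. The expiration of the token is also set by cert-manager to 10 minutes.
+type ServiceAccountRef struct {
+// Name of the ServiceAccount used to request a token.
+Name string
+
+// TokenAudiences is an optional list of audiences to include in the
+// token passed to AWS. The default token consisting of the issuer's namespace
+// and name is always included.
+// If unset the audience defaults to `sts.amazonaws.com`.
+TokenAudiences []string
+}
+
 // ACMEIssuerDNS01ProviderAzureDNS is a structure containing the
 // configuration for Azure DNS
 type ACMEIssuerDNS01ProviderAzureDNS struct {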
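Review bot: The new `Auth` field on ACMEIssuerDNS01ProviderRoute53 (first hunk) is documented only as "configures how cert-manager authenticates", and nothing in the type says how it interacts with the existing AccessKeyID/SecretAccessKeyID fields a few lines below, so a reader cannot tell which credential source is used when both are set. If the intended contract is exclusivity, state it in the comment, e.g. `// Auth configures how cert-manager authenticates. Only one of Auth and the static AccessKeyID/SecretAccessKeyID credentials should be set.`, and back it with validation; the same gap exists in the v1alpha2 copy in internal/apis/acme/v1alpha2/types_issuer.go. The `TokenAudiences` comment in the second hunk also reads as self-contradictory — it says a default audience is always included and that the audience defaults to `sts.amazonaws.com` when unset — and since the audience is what binds the projected token to the STS OIDC provider, the comment should say exactly which audiences end up in the token. ACMEIssuerDNS01ProviderRoute53 starts and ends outside the hunks, so the role-ARN field that AssumeRoleWithWebIdentity presumably consumes is not visible here.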
94 changes: 94 additions & 0 deletions internal/apis/acme/v1/zz_generated.conversion.go


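--- a/internal/apis/acme/v1alpha2/types_issuer.go
+++ b/internal/apis/acme/v1alpha2/types_issuer.go
@@ -475,6 +475,10 @@ type ACMEIssuerDNS01ProviderDigitalOcean struct {
 // ACMEIssuerDNS01ProviderRoute53 is a structure containing the Route 53
 // configuration for AWS
 type ACMEIssuerDNS01ProviderRoute53 struct {
+// Auth configures how cert-manager authenticates.
+// +optional
+Auth *Route53Auth `json:"auth,omitempty"`
+
 // The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
 // see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
 // +optional
@@ -503,6 +507,36 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
 Region string `json:"region"`
 }
 
+// Route53Auth is configuration used to authenticate with a Route53.
+type Route53Auth struct {
+// Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+// by passing a bound ServiceAccount token.
+Kubernetes *Route53KubernetesAuth `json:"kubernetes"`
+}
+
+// Route53KubernetesAuth is a configuration to authenticate against Route53
+// using a bound Kubernetes ServiceAccount token.
+type Route53KubernetesAuth struct {
+// A reference to a service account that will be used to request a bound
+// token (also known as "projected token"). To use this field, you must
+// configure an RBAC rule to let cert-manager request a token.
+ServiceAccountRef *ServiceAccountRef `json:"serviceAccountRef"`
+}
+
+// ServiceAccountRef is a service account used by cert-manager to request a
+// token. The expiration of the token is also set by cert-manager to 10 minutes.
+type ServiceAccountRef struct {
+// Name of the ServiceAccount used to request a token.
+Name string `json:"name"`
+
+// TokenAudiences is an optional list of audiences to include in the
+// token passed to AWS. The default token consisting of the issuer's namespace
+// and name is always included.
+// If unset the audience defaults to `sts.amazonaws.com`.
+// +optional
+TokenAudiences []string `json:"audiences,omitempty"`
+}
+
 // ACMEIssuerDNS01ProviderAzureDNS is a structure containing the
 // configuration for Azure DNS
 type ACMEIssuerDNS01ProviderAzureDNS struct {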
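Review bot: `ServiceAccountRef` in the second hunk carries only `Name`, so the namespace of the ServiceAccount whose token is minted is implicit, and neither the `ServiceAccountRef` comment nor the `Route53KubernetesAuth` comment says which namespace is used; presumably it is the Issuer's namespace, or the cluster-resource namespace for a ClusterIssuer, but that should be stated because it defines which Kubernetes identity cert-manager can exchange for AWS credentials. Propose appending to the `ServiceAccountRef` type comment something like `// The ServiceAccount is looked up in the namespace of the Issuer (for a ClusterIssuer, the cluster resource namespace); a namespace cannot be specified here.`, once confirmed against the token-request code, which is not in this commit's visible hunks. The same note applies to the copy in internal/apis/acme/types_issuer.go. ACMEIssuerDNS01ProviderRoute53 starts and ends outside the hunks.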
